
single sign-on and help with patch management. What are the risks of turning off PBA?

The risks associated with turning off pre-boot authentication (PBA) are actually quite high, and it's not a recommended best practice. Pre-boot authentication is the whole point of full-disk encryption (FDE) and, in fact, is what makes FDE such a powerful tool for protecting data.

First, let's briefly explain what pre-boot authentication is and its role in FDE. Pre-boot authentication is a process that requires a user to authenticate prior to the operating system loading. In other words, on a system with pre-boot authentication installed, the user is prompted for a user ID and password before the system boots up. Once the user successfully logs in, then the operating system starts. If the user enters the wrong user ID and password, the operating system won't load and the computer locks up.

Pre-boot authentication prevents the common hacker trick of using a Linux boot disk, like Knoppix, to bypass the operating system authentication and enter the system without login credentials. Pre-boot authentication operates at a lower level than the operating system. If the OS doesn't load, then the tools that try to bypass it won't work and attackers won't even get a chance to maliciously enter the system.

Pre-boot authentication is also cross-platform. It not only blocks Linux CDs but also blocks Windows emergency disks that might be used to gain access to Microsoft systems.

Pre-boot authentication doesn't operate alone; it works hand-in-hand with FDE, operating as a front-end to FDE applications. Products such as SafeBoot, SafeGuard and SafeNet, which offer FDE, encrypt the hard drive silently in the background. The pre-boot authentication generates the key needed to encrypt the hard drive and then decrypt it later when the system is booted up again.

FDE tools are great for protecting against data loss from stolen laptops. If a thief -- or malicious user, for that matter -- tries to turn on the computer, he or she will be blocked by the pre-boot authentication -- and a boot disk won't help them get in either. The attacker will be stuck with an encrypted hard drive.

With PBA turned off, not only could the attacker possibly get access to the machine, but the hard drive might also not be encrypted. It's not necessary to turn off pre-boot authentication to enable single sign-on (SSO) or patch management. The commercial FDE products mentioned above can be adapted to SSO, and fully integrated with common authentication systems like Active Directory and LDAP.
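
To make the relationship between the pre-boot password and the disk key concrete, here is a simplified model added for illustration; it is not code from any of the FDE products named above. The function names, the header layout and the HMAC-based key wrap are assumptions of the model, and the no-PBA case assumes the disk key has to be stored on the machine itself so it can boot unattended.

```python
import hashlib
import hmac
import os


def _kek(password: str, salt: bytes) -> bytes:
    # Stretch the pre-boot password into a key-encryption key (KEK).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(password: str, volume_key: bytes) -> dict:
    """Build the on-disk header: salt, wrapped 32-byte volume key, integrity tag."""
    salt = os.urandom(16)
    kek = _kek(password, salt)
    # Simplified wrap for the model: XOR with an HMAC-derived pad.
    pad = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    wrapped = _xor(volume_key, pad)
    tag = hmac.new(kek, b"tag" + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def pre_boot_unlock(header: dict, password: str):
    """Return the volume key, or None when the password is wrong (OS never loads)."""
    kek = _kek(password, header["salt"])
    expected = hmac.new(kek, b"tag" + header["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["tag"]):
        return None
    pad = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    return _xor(header["wrapped"], pad)


def enroll_without_pba(volume_key: bytes) -> dict:
    """Model assumption: with no pre-boot secret, the key is stored unprotected."""
    return {"clear_key": volume_key}


def offline_read(header: dict):
    """What is recoverable from the header alone when booting from other media."""
    return header.get("clear_key")


if __name__ == "__main__":
    vk = os.urandom(32)  # constructed sample volume key
    with_pba = enroll("constructed-sample-passphrase", vk)
    print("PBA on, wrong password :", pre_boot_unlock(with_pba, "guess"))
    print("PBA on, header only    :", offline_read(with_pba))
    print("PBA off, header only   :", offline_read(enroll_without_pba(vk)) == vk)
```
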
